Injection and Command Injection in devcert

Severity:: High

Description

A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function.

Recommendation

Update the devcert package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.1.1
Patched version(s): 1.1.2

References

GHSA-4228-7qvx-f4rq
hackerone.com
CVE-2020-8186
CWE-74
CWE-77
CWE-78
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Command Injection Vulnerability in systeminformation - systeminformation - CVE-2020-26274
Command Injection in systeminformation - CVE-2020-26300
OS Command Injection in devcert-sanscache - CVE-2019-10778
OS Command Injection in systeminformation - CVE-2020-7778

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; devcert

Anything's wrong? Let us know Last updated on February 01, 2023